DETAILED ACTION

Claims 1, 2, 4, 5 and 7-11 are presented for examination.

Continued Examination Under 37 CFR 1.114 
A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 23 
February 2009 has been entered. 

Response to Arguments 
Applicant's arguments with respect to claims 1, 2, 4, 5 and 7-11 have been
considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

1. Claims 1-5 and 7-11 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Sakai et al (JP 09-128264 A), hereinafter referred to as Sakai, in view of Hollander
et al (U.S. Pat 6301699 B1), hereinafter referred to as Hollander. A translated copy of 
Sakai was provided in an earlier Office Action. 

Re claims 1, 2, 4-7 : Sakai teaches a data processing method including receiving
input data containing a plurality of instruction codes, said method comprising: 

retrieving an instruction code related to a branch instruction from the data (page 
18, lines 12-17); 

storing a branch origin address associated with the retrieved instruction code 
(page 13, lines 5-9; page 14, lines 15-20) and a branch destination address associated 
with a branch destination of the instruction code (page 8, fourth step; page 13, lines 5-9; 
page 14, lines 15-20); 

judging whether or not an instruction code for calling an instruction code group 
for executing a predetermined process is associated with the branch destination 
address (page 26: 1|18; page 27, lines 8-15; page 29, lines 3-12); 

storing a call destination address of the instruction code if the instruction code is 
associated with the branch destination address (page 3, lines 1-2; page 9, line 21 - 
page 10, line 5; page 17, lines 21-23; page 22, lines 8-16; page 25, lines 4-13; page 44, 
see register); and 

judging whether or not the stored call destination address is between the branch 
origin address and the branch destination address (page 9, line 21 - page 10, line 5; 
page 17, lines 21-23; page 22, lines 8-16; page 25, lines 4-13); 

Hollander teaches: 

judging whether or not a process executed based on the instruction codes 
contained in the received data is a malicious process (Fig 4B, all elts: col 4, lines 62- 
65). 

It would have been obvious to one of ordinary skill in the art at the time the
invention was made to have modified the teachings of Sakai with the teachings of 
Hollander, for the purpose of detecting hostile executable code. Both references are 
within the realm of the claimed invention as both references are directed to tracing the 
execution of computer code. 

The Examiner holds that the branch origin address and branch destination 
address within a computer program need not have a specific order within a computer 
program. It is known in the art of computer programming, that function calls could 
precede the currently executed statement; such practice is common in code which has 
been obfuscated/scrambled and/or the initial point of execution is obscured as is 
commonplace in polymorphic and metamorphic code. Ergo, the examiner has 
interpreted the limitation "judging whether or not the stored call destination address is 
between the branch origin address and the branch destination address" to mean 
analyzing any code in an executable program. 

The combination of Sakai and Hollander teaches concluding that the process 
executed based on the instruction codes contained in the data is a malicious process 
(Hollander: col 1, line 64 - col 2, line 3; Fig 4B, all elts: col 4, lines 62-65), when the
instruction code for calling the instruction code group for executing the predetermined 
process is associated with the branch destination address and the call destination 
address of the instruction code is between the branch origin address and the branch 
destination address (Sakai: page 9, line 21 - page 10, line 5; page 17, lines 21-23; page 
22, lines 8-16; page 25, lines 4-13). 

Re claim 3 : The combination of Sakai and Hollander teaches means for judging
whether or not a predetermined character string is associated with a return address of 
the instruction code group, wherein if the character string is associated with the return 
address, the information indicating that the data is data for executing a malicious 
process is outputted (Sakai: pages 37 and 40: "CALL and RET instruction detecting 
parts;" page 42: "Branch origin/destination registers;" Hollander: Fig 4B, all elts). 

Re claim 8 : Sakai teaches a data processor comprising: 

an input unit for inputting data containing a plurality of instruction codes (page 2, 
lines 1-2); 

a storing unit for storing the data input by the input unit (page 2, lines 1-2); and a 
controller capable of performing operations (page 2, lines 1-2) of: 

retrieving an instruction code related to a branch instruction from the data stored 
in the storing unit (page 18, lines 12-17); 

storing a branch origin address associated with the retrieved instruction code 
(page 13, lines 5-9; page 14, lines 15-20) and a branch destination address associated 
with a branch destination of the instruction code in the storing unit (page 8, fourth step; 
page 13, lines 5-9; page 14, lines 15-20); 

judging whether or not an instruction code for calling an instruction code group 
for executing a predetermined process is associated with the branch destination 
address (page 26: 1|18; page 27, lines 8-15; page 29, lines 3-12); 

storing a call destination address of the instruction code in the storing unit if the 
instruction code is associated with the branch destination address (page 3, lines 1-2; 
page 9, line 21 - page 10, line 5; page 17, lines 21-23; page 22, lines 8-16; page 25,
lines 4-13; page 44, see register); 

judging whether or not the stored call destination address is between the branch 
origin address and the branch destination address (page 9, line 21 - page 10, line 5; 
page 17, lines 21-23; page 22, lines 8-16; page 25, lines 4-13). 

Hollander teaches: 

concluding that the process executed based on the instruction codes contained 
in the data is a malicious process (Fig 4B, all elts: col 4, lines 62-65). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to have modified the teachings of Sakai with the teachings of 
Hollander, for the purpose of detecting hostile executable code. Both references are 
within the realm of the claimed invention as both references are directed to tracing the 
execution of computer code. 

The Examiner holds that the branch origin address and branch destination 
address within a computer program need not have a specific order within a computer 
program. It is known in the art of computer programming, that function calls could 
precede the currently executed statement; such practice is common in code which has 
been obfuscated/scrambled and/or the initial point of execution is obscured as is 
commonplace in polymorphic and metamorphic code. Ergo, the examiner has 
interpreted the limitation "judging whether or not the stored call destination address is 
between the branch origin address and the branch destination address" to mean 
analyzing any code in an executable program. 

The combination of Sakai and Hollander teaches the instruction code for calling
the instruction code group for executing the predetermined process is associated with 
the branch destination address and the call destination address of the instruction code 
is between the branch origin address and the branch destination address (Sakai: page 
9, line 21 - page 10, line 5; page 17, lines 21-23; page 22, lines 8-16; page 25, lines 4- 
13). 

Re claim 9 : Sakai teaches a data processor comprising: 
an input unit for inputting data containing a plurality of instruction codes (page 2, 
lines 1-2); 

a storing unit for storing the data input by the input unit (page 2, lines 1-2); and 
a controller capable of performing operations (page 2, lines 1-2) of: 
retrieving an instruction code for calling an instruction code group for executing a 
predetermined process from the data (page 18, lines 12-17). 
Hollander teaches: 

concluding that the process executed based on the instruction codes contained 
in the data is a malicious process (Fig 4B, all elts: col 4, lines 62-65). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to have modified the teachings of Sakai with the teachings of 
Hollander, for the purpose of detecting hostile executable code. Both references are 
within the realm of the claimed invention as both references are directed to tracing the 
execution of computer code. 

The Examiner holds that the branch origin address and branch destination
address within a computer program need not have a specific order within a computer
program. It is known in the art of computer programming, that function calls could
precede the currently executed statement; such practice is common in code which has
been obfuscated/scrambled and/or the initial point of execution is obscured as is
commonplace in polymorphic and metamorphic code. Ergo, the examiner has
interpreted the limitation "judging whether or not the stored call destination address is
between the branch origin address and the branch destination address" to mean
analyzing any code in an executable program.

The combination of Sakai and Hollander teaches 

judging whether or not a predetermined character string is associated with a 
return address of the instruction code group (Sakai: pages 42-43, elts: ST32 & ST35). 

concluding that the process executed based on the instruction codes contained
in the data is a malicious process when the instruction code for calling the instruction
code group for executing the predetermined process is in the data and the 
predetermined character string is associated with the return address of the instruction 
code group (Hollander: Fig 3, all elts: col 4, lines 57-58; col 5, lines 12-16). 

Re claim 10 : Sakai teaches a data processor comprising: 

an input unit for inputting data containing a plurality of instruction codes (page 2,
lines 1-2); 

a storing unit for storing the data input by the input unit (page 2, lines 1-2); and 
a controller capable of performing operations (page 2, lines 1-2) of: 

retrieving an instruction code for calling an instruction code group for executing a
predetermined process from the data (page 26: 1|18; page 27, lines 8-15; page 29, lines 
3-12); 

judging whether or not an instruction code for obtaining a return address of the
instruction code group is contained in the instruction code group if the instruction code
is retrieved (page 6: eighth step; page 19: 1|13; page 41: ST2; page 44: 7).
Hollander teaches: 

concluding that the process executed based on the instruction codes contained 
in the data is a malicious process (Fig 4B, all elts: col 4, lines 62-65). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to have modified the teachings of Sakai with the teachings of 
Hollander, for the purpose of detecting hostile executable code. Both references are 
within the realm of the claimed invention as both references are directed to tracing the 
execution of computer code. 

The Examiner holds that the branch origin address and branch destination 
address within a computer program need not have a specific order within a computer 
program. It is known in the art of computer programming, that function calls could 
precede the currently executed statement; such practice is common in code which has 
been obfuscated/scrambled and/or the initial point of execution is obscured as is 
commonplace in polymorphic and metamorphic code. Ergo, the examiner has 
interpreted the limitation "judging whether or not the stored call destination address is 
between the branch origin address and the branch destination address" to mean
analyzing any code in an executable program. 

The combination of Sakai and Hollander teaches when the instruction code for 
calling the instruction code group for executing the predetermined process is in the data 
and the instruction code for obtaining the return address of the instruction code group is 
contained in the instruction code group (Sakai: page 9, line 21 - page 10, line 5; page 
17, lines 21-23; page 22, lines 8-16; page 25, lines 4-13). 
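
As an added illustration (not part of the Office action or of either cited reference), the address check recited for claims 1 and 8 and the return-address condition recited for claim 10 can be sketched as a static scan over x86 bytes. The opcode choices (JMP rel8/rel32, CALL rel32, POP reg as the return-address read), the function names and both byte strings are assumptions constructed for this example; "between" is tested in either order, following the examiner's remark that origin and destination need no specific order.

```python
import struct

# Constructed samples (not from the Office action or the cited references).
# SUSPECT: JMP +3 -> CALL back to a POP lying between the JMP and the CALL.
SUSPECT = bytes.fromhex("eb03" "5e9090" "e8f8ffffff")
# BENIGN: JMP +2 -> CALL forward to a RET outside the origin..destination span.
BENIGN = bytes.fromhex("eb02" "9090" "e805000000" "9090909090" "c3")

def branch_target(data, off):
    """Destination offset of a JMP rel8/rel32 at off, or None if not a JMP."""
    if data[off] == 0xEB and off + 2 <= len(data):       # JMP rel8
        return off + 2 + struct.unpack_from("<b", data, off + 1)[0]
    if data[off] == 0xE9 and off + 5 <= len(data):       # JMP rel32
        return off + 5 + struct.unpack_from("<i", data, off + 1)[0]
    return None

def call_target(data, off):
    """Destination offset of a CALL rel32 at off, or None (also if off is out of range)."""
    if 0 <= off and off + 5 <= len(data) and data[off] == 0xE8:
        return off + 5 + struct.unpack_from("<i", data, off + 1)[0]
    return None

def scan(data):
    """Flag branches whose destination is a CALL that lands between the
    branch origin and the branch destination (either order)."""
    findings = []
    for origin in range(len(data)):           # heuristic: try every byte offset
        dest = branch_target(data, origin)    # branch origin / destination
        if dest is None:
            continue
        call_dest = call_target(data, dest)   # is a CALL at the destination?
        if call_dest is None:
            continue
        lo, hi = sorted((origin, dest))
        if not lo <= call_dest <= hi:         # the "between" judgment
            continue
        # Assumption: POP r32 (0x58-0x5F) at the call destination reads the
        # return address that CALL pushed.
        reads_ret = 0x58 <= data[call_dest] <= 0x5F
        findings.append({"origin": origin, "dest": dest,
                         "call_dest": call_dest, "reads_return_addr": reads_ret})
    return findings

if __name__ == "__main__":
    print(scan(SUSPECT))
    print(scan(BENIGN))
```
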

Re claim 11 : The combination of Sakai and Hollander teaches the malicious
process causes an erroneous operation in the process executed based on the 
instruction codes contained in the received data (Hollander: Fig 4b, elt 106: col 4, lines 
62-65). 

Conclusion 

Examiner's Note: Examiner has cited particular columns and line numbers in the 
references applied to the claims above for the convenience of the applicant. Although 
the specified citations are representative of the teachings of the art and are applied to 
specific limitations within the individual claim, other passages and figures may apply as 
well. It is respectfully requested from the applicant in preparing responses to fully 
consider the references in entirety as potentially teaching all or part of the claimed 
invention, as well as the text of the passage taught by the prior art or disclosed by the 
examiner. 



Application/Control Number: 10/523,690

Art Unit: 2435 

In the case of amending the claimed invention, Applicant is respectfully
requested to indicate the portion(s) of the specification which dictate(s) the structure 
relied on for proper interpretation and also to verify and ascertain the metes and bounds 
of the claimed invention. 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to DARREN SCHWARTZ whose telephone number is 
(571)270-3850. The examiner can normally be reached on 8am-4pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kim Vu can be reached on (571)272-3859. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/D. S./ 

Examiner, Art Unit 2435 
/Kimyen Vu/ 

Supervisory Patent Examiner, Art Unit 2435 



